
%
% NOTE: This file is shared between the scalar and vector specifications.
%

In creating this proposal, we tried to adhere to the following
policies:

\policy{
Where there is a choice between:
1) supporting diverse implementation strategies for an algorithm
or
2) supporting a single implementation style which is more performant /
   less expensive;
the crypto extension will pick the more constrained but performant
option.
This fits a common pattern in other parts of the RISC-V specification,
where recommended (but not required) instruction sequences for performing
particular tasks are given as an example, such that both hardware and
software implementers can optimise for only a single use-case.
}

\policy{
The extension will be designed to support {\em existing} standardised
cryptographic constructs well.
It will not try to support proposed standards, or cryptographic
constructs which exist only in academia.
Cryptographic standards which are settled upon concurrently with, or after
the RISC-V cryptographic extension standardisation will be dealt with
by future additions to, or versions of, the RISC-V cryptographic
standard extension. It is anticipated that the NIST Lightweight
Cryptography contest, and the NIST Post-Quantum Cryptography contest
may be dealt with this way, depending on timescales.
}

\policy{
Historically, there has been some discussion \cite{LSYRR:04} on
how newly supported operations in general-purpose computing might
enable new bases for cryptographic algorithms.
The standard will not try to anticipate new useful low-level
operations which {\em may} be useful as building blocks for
future cryptographic constructs.
}

\policy{
Regarding side-channel countermeasures:
Where relevant, proposed instructions must aim to remove the
possibility of any timing side-channels.
For side-channels based on power or electro-magnetic (EM) measurements,
the extension will not aim to support countermeasures which are
implemented above the ISA abstraction layer.
Recommendations will be given where relevant on how micro-architectures
can implement instructions in a power/EM side-channel resistant way.
}

